Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
olliver (Expert Developer)
Joined: 27 Jan 2006 | Last Visit: 02 Dec 2010 | Posts: 1157 | Location: yes

Posted: Tue Apr 14, 2009 9:42 pm
Post subject: cluebie lawfirm (or just ignorant)...

A couple of days ago, I noticed this neat entry in my logfiles:
Quote:
Apr 11 06:09:21 mail sm-mta[7892]: n3B49JTN007892: ruleset=check_rcpt, arg1=<spamery@tiscali.it>, relay=[69.15.38.26], reject=550 5.7.1 <spamery@tiscali.it>... Relaying denied. IP name lookup failed [69.15.38.26]
Apr 11 06:09:21 mail sm-mta[7892]: n3B49JTN007892: from=<spamery@tiscali.it>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA-v4, relay=[69.15.38.26]
Nothing out of the ordinary, just some presumably Russian/Ukrainian spammer (spamery is Russian for "spammer") who had hacked into a machine and was using it for relay testing.
Whois revealed a /29 SWIP belonging to a law firm, which further diminishes the odds that this "probe" has been done on purpose:
Quote:
CustName: Banks, Stubbs, Neville & Cunat LLP
Address: 309 Pirkle Ferry Rd Bldg F
City: Cumming
StateProv: GA
PostalCode: 30040
Country: US
RegDate: 2004-07-12
Updated: 2004-07-12
NetRange: 69.15.38.24 - 69.15.38.31
CIDR: 69.15.38.24/29
NetName: CBEY-69-15-38-24
NetHandle: NET-69-15-38-24-1
Parent: NET-69-15-0-0-1
NetType: Reassigned
Comment:
RegDate: 2004-07-12
Updated: 2004-07-12
I sent a heads-up to Cbeyond's abuse team the same day, and as it didn't bounce I thought this might lead to the machine being fixed before some actual damage occurs to this firm. Well, today, after checking my logs, I noticed the very same IP address in my firewall logs again...
Mail server:
Quote:
Apr 15 04:44:36 mail kernel: Mail abuse: IN=eth0 OUT= MAC=00:30:05:e3:86:98:00:0f:35:b2:00:fc:08:00 SRC=69.15.38.26 DST=91.143.81.187 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=46047 DF PROTO=TCP SPT=63760 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 15 04:44:38 mail kernel: Mail abuse: IN=eth0 OUT= MAC=00:30:05:e3:86:98:00:0f:35:b2:00:fc:08:00 SRC=69.15.38.26 DST=91.143.81.187 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=46687 DF PROTO=TCP SPT=64078 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 15 04:44:41 mail kernel: Mail abuse: IN=eth0 OUT= MAC=00:30:05:e3:86:98:00:0f:35:b2:00:fc:08:00 SRC=69.15.38.26 DST=91.143.81.187 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=46920 DF PROTO=TCP SPT=60156 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0

Streaming server:
Quote:
Apr 15 04:44:52 stream kernel: Mail abuse: IN=eth0 OUT= MAC=00:30:05:e3:86:98:00:0f:35:b2:00:fc:08:00 SRC=69.15.38.26 DST=91.143.83.114 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=47767 DF PROTO=TCP SPT=61039 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 15 04:44:55 stream kernel: Mail abuse: IN=eth0 OUT= MAC=00:30:05:e3:86:98:00:0f:35:b2:00:fc:08:00 SRC=69.15.38.26 DST=91.143.83.114 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=48101 DF PROTO=TCP SPT=61298 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 15 04:44:57 stream kernel: Mail abuse: IN=eth0 OUT= MAC=00:30:05:e3:86:98:00:0f:35:b2:00:fc:08:00 SRC=69.15.38.26 DST=91.143.83.114 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=48247 DF PROTO=TCP SPT=61481 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Given that 69.15.38.26 accepts neither SMTP nor HTTP requests, it's obviously the same spamery probing for relays on port 25, as if my streaming server had ever accepted mail or been added as an MX before.
This leaves two possible conclusions:
1. Cbeyond do not care and silently direct complaints to /dev/null
2. The law firm hasn't got the faintest clue about how to deal with the problem
3. Any combination of the previous two points.
Whatever it is, it shows to me that traffic from 69.15.38.24/29 should not be accepted and that it might be unwise to use Banks, Stubbs, Neville & Cunat LLP's services if they are incapable of securing their working environment. For instance, just consider customer data lying around unprotected and the same Russian/Ukrainian fellow getting hold of it and selling it to fellow criminals for targeted "marketing".
Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
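Added example (not part of olliver's post or of the forum): a small Python script that parses the two log formats quoted above, sendmail's "Relaying denied" rejects and the netfilter "Mail abuse:" kernel lines, and reports any source that tried port 25 against more than one of your hosts, which is the cross-host pattern the post describes. The sample lines are constructed from the post's excerpts; the 192.0.2.7 line is a made-up single-host SYN added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the sendmail and netfilter excerpts in the post
# (same source 69.15.38.26 hitting "mail" and "stream"); the 192.0.2.7 line is a
# made-up single-host SYN added for contrast and is not from the post.
SAMPLE_LOGS = [
    "Apr 11 06:09:21 mail sm-mta[7892]: n3B49JTN007892: ruleset=check_rcpt, arg1=<spamery@tiscali.it>, relay=[69.15.38.26], reject=550 5.7.1 <spamery@tiscali.it>... Relaying denied. IP name lookup failed [69.15.38.26]",
    "Apr 15 04:44:36 mail kernel: Mail abuse: IN=eth0 OUT= MAC=00:30:05:e3:86:98:00:0f:35:b2:00:fc:08:00 SRC=69.15.38.26 DST=91.143.81.187 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=46047 DF PROTO=TCP SPT=63760 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Apr 15 04:44:52 stream kernel: Mail abuse: IN=eth0 OUT= MAC=00:30:05:e3:86:98:00:0f:35:b2:00:fc:08:00 SRC=69.15.38.26 DST=91.143.83.114 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=47767 DF PROTO=TCP SPT=61039 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Apr 15 05:10:02 mail kernel: Mail abuse: IN=eth0 OUT= MAC=00:30:05:e3:86:98:00:0f:35:b2:00:fc:08:00 SRC=192.0.2.7 DST=91.143.81.187 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=100 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0",
]

# Syslog prefix "Apr 11 06:09:21 <host> ..."; the host that logged the line is the probe's target.
SYSLOG_PREFIX = r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+"
SENDMAIL_RE = re.compile(SYSLOG_PREFIX + r"sm-mta\[\d+\]: .*relay=\[(?P<src>[\d.]+)\].*Relaying denied")
NETFILTER_RE = re.compile(SYSLOG_PREFIX + r"kernel: Mail abuse: .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (source_ip, target_host, event_kind) or None for unrelated lines."""
    m = SENDMAIL_RE.match(line)
    if m:
        return m.group("src"), m.group("host"), "relay_denied"
    m = NETFILTER_RE.match(line)
    if m and m.group("dpt") == "25":  # only SMTP SYNs count as relay probes
        return m.group("src"), m.group("host"), "smtp_syn"
    return None


def summarize(lines):
    """Per source IP: the set of hosts it touched on port 25 and counts per event kind."""
    summary = defaultdict(lambda: {"targets": set(), "relay_denied": 0, "smtp_syn": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, target, kind = parsed
        summary[src]["targets"].add(target)
        summary[src][kind] += 1
    return dict(summary)


def relay_probers(lines, min_targets=2):
    """Sources that tried SMTP against at least min_targets distinct hosts: the
    cross-host pattern from the post (mail server and streaming server alike)."""
    return sorted(src for src, s in summarize(lines).items() if len(s["targets"]) >= min_targets)
```

Feed it the relevant lines from `/var/log/mail.log` and `/var/log/kern.log` (or whatever your syslog writes to) to get the list of sources worth a complaint to the netblock's abuse contact.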